JSON beautified

Alexandre Dulaunoy 2016-03-03 07:22:28 +01:00
parent 90ba833fe0
commit ba69a1f12b


@ -1,351 +1,667 @@
{ {
"version" : 1,
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"authors": ["Alexandre Dulaunoy", "Florian Roth", "Thomas Schreck", "Various"],
"type": "Adversary Groups",
"groups" : ["Comment Crew","Putter Panda","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap","Putter Panda","UPS","IXESHE","APT 16","Aurora Panda","Wekby","Axiom","Shell Crew","Naikon","Lotus Blossom","Hurricane Panda","Emissary Panda","Stone Panda","Nightshade Panda","Hellsing","Night Dragon","Mirage","Anchor Panda","NetTraveler","Ice Fog","HiddenLynx","Beijing Group","Pirate Panda","Radio Panda","Dagger Panda","Samurai Panda","Impersonating Panda","Violin Panda","Toxic Panda","Temper Panda","Flying Kitten","Viking Jackal","Cutting Kitten","Rebel Jackal","Stalker Panda","Berserk Bear","Dizzy Panda","Predator Panda","Pitty Panda","Wet Panda","Union Panda","Wolf Spider","Boulder Bear","Lotus Panda","Shark Spider","Silent Chollima","Viceroy Tiger","Pizzo Spider","Corsair Jackal","Charming Kitten","Deadeye Jackal","Spicy Panda","Magic Kitten"],
"details": [ "details": [
{ {
"group": "Comment Crew", "synonyms": [
"Comment Panda",
"PLA Unit 61398",
"APT 1",
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
"TG-8223"
],
"country": "CN",
"refs": [
"https://en.wikipedia.org/wiki/PLA_Unit_61398",
"http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
],
"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
"refs": ["https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"], "group": "Comment Crew"
},
{
"country": "CN", "country": "CN",
"synonyms": ["Comment Panda","PLA Unit 61398", "APT 1","Advanced Persistent Threat 1","Byzantine Candor","Group 3","TG-8223"] "group": "Stalker Panda"
}, },
{ {
"group": "Stalker Panda", "country": "CN",
"country": "CN" "group": "Wet Panda"
}, },
{ {
"group": "Wet Panda", "country": "CN",
"country": "CN" "group": "Predator Panda"
}, },
{ {
"group": "Predator Panda", "country": "CN",
"country": "CN" "group": "Union Panda"
}, },
{ {
"group": "Union Panda", "country": "CN",
"country": "CN" "group": "Spicy Panda"
}, },
{ {
"group": "Spicy Panda", "country": "CN",
"country": "CN" "group": "Eloquent Panda"
}, },
{ {
"group": "Eloquent Panda", "country": "CN",
"country": "CN" "refs": [
}, "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
{ ],
"group": "Emissary Panda",
"description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
"refs": ["http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"], "group": "Emissary Panda"
"country": "CN"
}, },
{ {
"group": "Dizzy Panda", "synonyms": [
"synonyms": ["LadyBoyle"] "LadyBoyle"
],
"group": "Dizzy Panda"
}, },
{ {
"group": "Putter Panda", "synonyms": [
"PLA Unit 61486",
"APT 2",
"Group 36",
"APT-2",
"MSUpdater",
"4HCrew",
"SULPHUR"
],
"country": "CN",
"refs": [
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ", "description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ",
"refs": ["http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"], "group": "Putter Panda"
"country": "CN",
"synonyms": ["PLA Unit 61486", "APT 2", "Group 36","APT-2","MSUpdater","4HCrew","SULPHUR"]
}, },
{ {
"group": "UPS", "synonyms": [
"refs": ["https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"], "Gothic Panda",
"TG-0110",
"APT 3",
"Group 6"
],
"country": "CN", "country": "CN",
"synonyms": ["Gothic Panda","TG-0110","APT 3","Group 6"] "refs": [
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
],
"group": "UPS"
}, },
{ {
"group": "IXESHE", "synonyms": [
"Numbered Panda",
"TG-2754",
"BeeBus",
"Group 22",
"DynCalc",
"Crimson Iron"
],
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
],
"description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
"refs": ["http://www.crowdstrike.com/blog/whois-numbered-panda/"], "group": "IXESHE"
},
{
"country": "CN", "country": "CN",
"synonyms": ["Numbered Panda", "TG-2754", "BeeBus", "Group 22", "DynCalc", "Crimson Iron"] "refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
],
"group": "APT 16"
}, },
{ {
"group": "APT 16", "synonyms": [
"refs": ["https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"], "APT 17",
"country": "CN" "Deputy Dog",
}, "Group 8"
{ ],
"group": "Aurora Panda",
"refs": ["http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"],
"country": "CN", "country": "CN",
"synonyms": ["APT 17", "Deputy Dog", "Group 8"] "refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
],
"group": "Aurora Panda"
}, },
{ {
"group": "Wekby", "synonyms": [
"refs": ["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"], "Dynamite Panda",
"TG-0416",
"APT 18",
"SCANDIUM"
],
"country": "CN", "country": "CN",
"synonyms": ["Dynamite Panda", "TG-0416", "APT 18", "SCANDIUM"] "refs": [
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"
],
"group": "Wekby"
}, },
{ {
"group": "Axiom", "synonyms": [
"refs": ["http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/"], "Winnti Group",
"Tailgater Team",
"Group 72",
"Group72",
"Tailgater",
"Ragebeast"
],
"country": "CN", "country": "CN",
"synonyms": ["Winnti Group", "Tailgater Team","Group 72","Group72","Tailgater","Ragebeast"] "refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/"
],
"group": "Axiom"
}, },
{ {
"group": "Shell Crew", "synonyms": [
"refs": ["http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf"], "Deep Panda",
"WebMasters",
"APT 19",
"KungFu Kittens",
"Black Vine",
"Group 13",
"PinkPanther",
"Sh3llCr3w"
],
"country": "CN", "country": "CN",
"synonyms": ["Deep Panda", "WebMasters", "APT 19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w"] "refs": [
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf"
],
"group": "Shell Crew"
}, },
{ {
"group": "Naikon", "synonyms": [
"refs": ["https://securelist.com/analysis/publications/69953/the-naikon-apt/"], "PLA Unit 78020",
"APT 30",
"Override Panda",
"Camerashy"
],
"country": "CN", "country": "CN",
"synonyms": ["PLA Unit 78020", "APT 30", "Override Panda", "Camerashy"] "refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/"
],
"group": "Naikon"
}, },
{ {
"group": "Lotus Blossom", "synonyms": [
"refs": ["https://securelist.com/blog/research/70726/the-spring-dragon-apt/"], "Spring Dragon",
"ST Group"
],
"country": "CN", "country": "CN",
"synonyms": ["Spring Dragon","ST Group"] "refs": [
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/"
],
"group": "Lotus Blossom"
}, },
{ {
"group": "Lotus Panda", "synonyms": [
"Elise"
],
"country": "CN", "country": "CN",
"synonyms": ["Elise"] "group": "Lotus Panda"
}, },
{ {
"group": "Hurricane Panda",
"refs": ["http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"],
"country": "CN"
},
{
"group": "Emissary Panda",
"refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"],
"country": "CN", "country": "CN",
"synonyms": ["TG-3390","APT 27","TEMP.Hippo","Group 35","HIPPOTeam","APT27"] "refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
],
"group": "Hurricane Panda"
}, },
{ {
"group": "Stone Panda", "synonyms": [
"TG-3390",
"APT 27",
"TEMP.Hippo",
"Group 35",
"HIPPOTeam",
"APT27"
],
"country": "CN", "country": "CN",
"synonyms": ["APT10","APT 10","menuPass","happyyongzi","POTASSIUM"] "refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"group": "Emissary Panda"
}, },
{ {
"group": "Nightshade Panda", "synonyms": [
"refs": ["https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"], "APT10",
"APT 10",
"menuPass",
"happyyongzi",
"POTASSIUM"
],
"country": "CN", "country": "CN",
"synonyms": ["APT 9","Flowerlady/Flowershow","Flowerlady","Flowershow"] "group": "Stone Panda"
}, },
{ {
"group": "Hellsing", "synonyms": [
"refs": ["https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/"], "APT 9",
"Flowerlady/Flowershow",
"Flowerlady",
"Flowershow"
],
"country": "CN", "country": "CN",
"synonyms": ["Goblin Panda","Cycldek"] "refs": [
"https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
],
"group": "Nightshade Panda"
}, },
{ {
"group": "Night Dragon", "synonyms": [
"refs": ["https://kc.mcafee.com/corporate/index?page=content&id=KB71150"], "Goblin Panda",
"country": "CN" "Cycldek"
}, ],
{
"group": "Mirage",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"],
"country": "CN", "country": "CN",
"synonyms": ["Vixen Panda","Ke3Chang","GREF", "Playful Dragon"] "refs": [
"https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/"
],
"group": "Hellsing"
}, },
{ {
"group": "Anchor Panda",
"refs": ["http://www.crowdstrike.com/blog/whois-anchor-panda/"],
"synonyms": ["APT14","APT 14","QAZTeam","ALUMINUM"],
"country": "CN"
},
{
"group": "NetTraveler",
"refs": ["https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/"],
"country": "CN"
},
{
"group": "Ice Fog",
"refs": ["https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"],
"country": "CN", "country": "CN",
"synomyns": ["IceFog","Dagger Panda"] "refs": [
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
],
"group": "Night Dragon"
}, },
{ {
"group": "Pitty Panda", "synonyms": [
"Vixen Panda",
"Ke3Chang",
"GREF",
"Playful Dragon"
],
"country": "CN", "country": "CN",
"synonyms": ["PittyTiger", "MANGANESE"] "refs": [
"https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"
],
"group": "Mirage"
}, },
{ {
"group": "HiddenLynx",
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"],
"country": "CN"
},
{
"group": "Beijing Group",
"country": "CN"
},
{
"group": "Radio Panda",
"country": "CN"
},
{
"group": "Dagger Panda",
"country": "CN"
},
{
"group": "Samurai Panda",
"refs": ["http://www.crowdstrike.com/blog/whois-samurai-panda/"],
"country": "CN", "country": "CN",
"synonyms": ["PLA Navy","APT4","APT 4"] "synonyms": [
"APT14",
"APT 14",
"QAZTeam",
"ALUMINUM"
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"group": "Anchor Panda"
}, },
{ {
"group": "Impersonating Panda", "country": "CN",
"country": "CN" "refs": [
"https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/"
],
"group": "NetTraveler"
}, },
{ {
"group": "Violin Panda", "synomyns": [
"synonyms": ["APT20","APT 20","TH3Bug"], "IceFog",
"country": "CN" "Dagger Panda"
],
"country": "CN",
"refs": [
"https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
],
"group": "Ice Fog"
}, },
{ {
"group": "Toxic Panda", "synonyms": [
"refs": ["http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"], "PittyTiger",
"MANGANESE"
],
"country": "CN",
"group": "Pitty Panda"
},
{
"country": "CN",
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
],
"group": "HiddenLynx"
},
{
"country": "CN",
"group": "Beijing Group"
},
{
"country": "CN",
"group": "Radio Panda"
},
{
"country": "CN",
"group": "Dagger Panda"
},
{
"synonyms": [
"PLA Navy",
"APT4",
"APT 4"
],
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-samurai-panda/"
],
"group": "Samurai Panda"
},
{
"country": "CN",
"group": "Impersonating Panda"
},
{
"country": "CN",
"synonyms": [
"APT20",
"APT 20",
"TH3Bug"
],
"group": "Violin Panda"
},
{
"country": "CN",
"description": "A group targeting dissident groups in China and at the boundaries.", "description": "A group targeting dissident groups in China and at the boundaries.",
"country": "CN" "refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
],
"group": "Toxic Panda"
}, },
{ {
"group": "Temper Panda", "synonyms": [
"refs": ["https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"], "Admin338",
"Team338",
"MAGNESIUM",
"admin@338"
],
"country": "CN", "country": "CN",
"synonyms": ["Admin338","Team338","MAGNESIUM","admin@338"] "refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
],
"group": "Temper Panda"
}, },
{ {
"group": "Pirate Panda", "country": "CN",
"synonyms": [ "APT23", "KeyBoy" ], "synonyms": [
"country": "CN" "APT23",
"KeyBoy"
],
"group": "Pirate Panda"
}, },
{ {
"group": "Flying Kitten", "country": "IR",
"synonyms": ["SaffronRose","AjaxSecurityTeam"], "synonyms": [
"country": "IR" "SaffronRose",
"AjaxSecurityTeam"
],
"group": "Flying Kitten"
}, },
{ {
"group": "Cutting Kitten", "country": "IR",
"synonyms": ["ITSecTeam"], "synonyms": [
"country": "IR" "ITSecTeam"
],
"group": "Cutting Kitten"
}, },
{ {
"group": "Charming Kitten", "country": "IR",
"synonyms": ["Newscaster", "Parastoo"], "synonyms": [
"country": "IR" "Newscaster",
"Parastoo"
],
"group": "Charming Kitten"
}, },
{ {
"group": "Magic Kitten", "country": "IR",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
],
"description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition ", "description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition ",
"refs": ["http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"], "group": "Magic Kitten"
"country": "IR"
}, },
{ {
"group": "Rebel Jackal",
"synonyms": ["FallagaTeam"],
"country": "TN"
},
{
"group": "Viking Jackal",
"synonyms": ["Vikingdom"],
"country": "AE"
},
{
"group": "Sofacy",
"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
"refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],
"country": "RU",
"synonyms": ["APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit", "TsarTeam"]
},
{
"group": "APT 29",
"refs": ["https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"],
"country": "RU",
"synonyms": ["Dukes", "Group 100", "Cozy Duke", "CozyDuke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys", "OfficeMonkeys", "APT29"]
},
{
"group": "Turla Group",
"country": "RU",
"synonyms": ["Turla", "Snake", "Venomous Bear", "Group 88"]
},
{
"group": "Energetic Bear",
"description": "A Russian group that collects intelligence on the energy industry.",
"refs": ["http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"],
"country": "RU",
"synonyms": ["Dragonfly", "Crouching Yeti", "Group 24", "Havex", "CrouchingYeti"]
},
{
"group": "Sandworm",
"refs": ["http://www.isightpartners.com/2014/10/cve-2014-4114/"],
"country": "RU",
"synonyms": ["Sandworm Team"]
},
{
"group": "Anunak",
"description": "Groups targeting financial organizations or people with significant financial assets.",
"country": "RU",
"synonyms": ["Carbanak"]
},
{
"group": "TeamSpy Crew",
"refs": ["https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"],
"country": "RU",
"synonyms": ["TeamSpy","Team Bear"]
},
{
"group": "BuhTrap",
"refs": ["http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"],
"country": "RU",
"synonyms": [""]
},
{
"group": "Berserk Bear",
"country": "RU"
},
{
"group": "Wolf Spider",
"country": "RO"
},
{
"group": "Boulder Bear",
"country": "RU"
},
{
"group": "Shark Spider",
"country": "RU"
},
{
"group": "Silent Chollima",
"synonyms": ["OperationTroy"],
"country": "KP"
},
{
"group": "Viceroy Tiger",
"country": "IN",
"synonyms": ["Appin","OperationHangover"]
},
{
"group": "Pizzo Spider",
"country": "US",
"synonyms": ["DD4BC","Ambiorx"]
},
{
"group": "Corsair Jackal",
"country": "TN", "country": "TN",
"synonyms": ["TunisianCyberArmy"] "synonyms": [
"FallagaTeam"
],
"group": "Rebel Jackal"
}, },
{ {
"group": "Deadeye Jackal", "country": "AE",
"description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", "synonyms": [
"refs": ["https://en.wikipedia.org/wiki/Syrian_Electronic_Army"], "Vikingdom"
],
"group": "Viking Jackal"
},
{
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"Fancy Bear",
"Sednit",
"TsarTeam"
],
"country": "RU",
"refs": [
"https://en.wikipedia.org/wiki/Sofacy_Group"
],
"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
"group": "Sofacy"
},
{
"synonyms": [
"Dukes",
"Group 100",
"Cozy Duke",
"CozyDuke",
"EuroAPT",
"CozyBear",
"CozyCar",
"Cozer",
"Office Monkeys",
"OfficeMonkeys",
"APT29"
],
"country": "RU",
"refs": [
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
],
"group": "APT 29"
},
{
"synonyms": [
"Turla",
"Snake",
"Venomous Bear",
"Group 88"
],
"country": "RU",
"group": "Turla Group"
},
{
"synonyms": [
"Dragonfly",
"Crouching Yeti",
"Group 24",
"Havex",
"CrouchingYeti"
],
"country": "RU",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
],
"description": "A Russian group that collects intelligence on the energy industry.",
"group": "Energetic Bear"
},
{
"synonyms": [
"Sandworm Team"
],
"country": "RU",
"refs": [
"http://www.isightpartners.com/2014/10/cve-2014-4114/"
],
"group": "Sandworm"
},
{
"synonyms": [
"Carbanak"
],
"country": "RU",
"description": "Groups targeting financial organizations or people with significant financial assets.",
"group": "Anunak"
},
{
"synonyms": [
"TeamSpy",
"Team Bear"
],
"country": "RU",
"refs": [
"https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"
],
"group": "TeamSpy Crew"
},
{
"synonyms": [
""
],
"country": "RU",
"refs": [
"http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"
],
"group": "BuhTrap"
},
{
"country": "RU",
"group": "Berserk Bear"
},
{
"country": "RO",
"group": "Wolf Spider"
},
{
"country": "RU",
"group": "Boulder Bear"
},
{
"country": "RU",
"group": "Shark Spider"
},
{
"country": "KP",
"synonyms": [
"OperationTroy"
],
"group": "Silent Chollima"
},
{
"synonyms": [
"Appin",
"OperationHangover"
],
"country": "IN",
"group": "Viceroy Tiger"
},
{
"synonyms": [
"DD4BC",
"Ambiorx"
],
"country": "US",
"group": "Pizzo Spider"
},
{
"synonyms": [
"TunisianCyberArmy"
],
"country": "TN",
"group": "Corsair Jackal"
},
{
"synonyms": [
"SyrianElectronicArmy",
"SEA"
],
"country": "SY", "country": "SY",
"synonyms": ["SyrianElectronicArmy", "SEA"] "refs": [
"https://en.wikipedia.org/wiki/Syrian_Electronic_Army"
],
"description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear",
"group": "Deadeye Jackal"
} }
] ],
"groups": [
"Comment Crew",
"Putter Panda",
"Sofacy",
"APT 29",
"Turla Group",
"Energetic Bear",
"Sandworm",
"Anunak",
"TeamSpy Crew",
"BuhTrap",
"Putter Panda",
"UPS",
"IXESHE",
"APT 16",
"Aurora Panda",
"Wekby",
"Axiom",
"Shell Crew",
"Naikon",
"Lotus Blossom",
"Hurricane Panda",
"Emissary Panda",
"Stone Panda",
"Nightshade Panda",
"Hellsing",
"Night Dragon",
"Mirage",
"Anchor Panda",
"NetTraveler",
"Ice Fog",
"HiddenLynx",
"Beijing Group",
"Pirate Panda",
"Radio Panda",
"Dagger Panda",
"Samurai Panda",
"Impersonating Panda",
"Violin Panda",
"Toxic Panda",
"Temper Panda",
"Flying Kitten",
"Viking Jackal",
"Cutting Kitten",
"Rebel Jackal",
"Stalker Panda",
"Berserk Bear",
"Dizzy Panda",
"Predator Panda",
"Pitty Panda",
"Wet Panda",
"Union Panda",
"Wolf Spider",
"Boulder Bear",
"Lotus Panda",
"Shark Spider",
"Silent Chollima",
"Viceroy Tiger",
"Pizzo Spider",
"Corsair Jackal",
"Charming Kitten",
"Deadeye Jackal",
"Spicy Panda",
"Magic Kitten"
],
"type": "Adversary Groups",
"authors": [
"Alexandre Dulaunoy",
"Florian Roth",
"Thomas Schreck",
"Various"
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"version": 1
} }
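Review bot: The reformat carries the misspelled key `"synomyns"` in the Ice Fog entry through unchanged, so a consumer that reads `synonyms` will presumably not see the IceFog and Dagger Panda aliases for that group; the key should be `"synonyms"`. The BuhTrap entry still has `"synonyms": [""]`, an empty-string alias that an alias lookup could match against blank input; omitting the key, as the other alias-less entries do, would be safer. `"Putter Panda"` is listed twice in `groups`, `Emissary Panda` has two separate `details` objects, and `Eloquent Panda` has a `details` entry but is absent from `groups`. A follow-up commit that fixes these, ideally with a schema or uniqueness check on the file, would keep alias-based matching in downstream detection and attribution tooling reliable.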